@patio11
Last active October 1, 2023 02:14
Notes on Wizsec's Mt. Gox investigation

Notes from Kim Nilsson's presentation at Breaking Bitcoin regarding the Mt. Gox investigation by Wizsec. Some of this was previously published on their blog, but the presentation has substantial new information. Presentation available here: https://www.youtube.com/watch?v=l70iRcSxqzo

Any errors/omissions are my (@patio11) fault.

Mt. Gox investigation highlights

  • Since deposits and withdrawals are on the blockchain (public), deposits minus withdrawals should equal holdings. If there is a large discrepancy, this is evidence of theft.

  • Mt. Gox did not provide a copy of the database when asked.

    • But Mt. Gox's database had row-level exports leaked multiple times; this allowed partial reconstruction of their transaction history.
  • Wizsec built an index of the entire Bitcoin blockchain and correlated it with all known activity on Mt. Gox.

  • This allows Wizsec to reconstruct wallets, i.e. the (hidden) relationships between sets of Bitcoin addresses. Wizsec then clusters transactions into wallets.

  • Wizsec de-anonymizes wallets using open source information (e.g. date, amount, and number of confirmations on a public post asking about a Bitcoin issue allows you to associate their forum metadata with their wallet... and catches lots of other transactions).

  • Wizsec identifies ~2 million addresses as belonging to Mt. Gox; this allows them to reconstruct Mt. Gox's total holdings over time. Withdrawals from Mt. Gox's addresses not corresponding to withdrawal records from the database are, presumptively, thefts.

  • They publish, in 2015, details of the thefts.

  • Wizsec hears rumors of CEO's impending arrest. He denies it. He is arrested 8 hours later.

  • By 2016, they have evidence of multiple thefts, including back to 2011.

  • "Mt. Gox was insolvent since 2011."

  • "We had evidence that Mt. Gox was trading its liabilities on its own exchange, later known as the WillyBot."

  • Thefts from Mt. Gox joined the common control of coin flows from other thefts.

  • Wizsec identifies a suspect in laundering these thefts, Alexander Vinnik. Avoids mentioning him until he is arrested by the US. Alleged by the US to be BTC-e administrator; Wizsec cannot confirm.

  • How did Wizsec identify him?

    • Didn't use tumblers/mixers in 2011
    • Used accounts on exchanges which were robbed/hacked
    • Used his real name online in connection with transactions which touched tainted flows.
    • "If you're going to steal coins, maybe don't [use your real name online]."
  • Wizsec believes that thief and launderer (Vinnik) may not be same recipient. Likely that prior coordination existed, since first hop from hacked exchange was to Vinnik.

  • Mt. Gox's private keys were stolen via losing a copy of wallet.dat

  • How do we know? Wallet.dat once included 100 private keys for future transactions, including for e.g. use of change addresses later.

  • If someone gets a copy of your wallet, "your" next 100 transactions and "their" next 100 transactions will independently use the same change addresses for the next ~100 outputs. This is easily fingerprintable on the blockchain.

  • This lets them date theft: September 11th, 2011, 21:30 UTC.

  • Change from the thief's transactions goes to addresses which Mt. Gox has allocated to customers as deposit addresses, so that each time the thief spends money, the change (which the thief still controls) gets seen by Gox as a deposit by a non-thief depositor.

  • ... this causes those depositors to be credited free BTC on Mt. Gox. This being Bitcoin, they steal those Bitcoins immediately. This doesn't come out of the thief's coins because Mt. Gox doesn't repay people from their own deposit addresses.

  • March 2011: at point Mt. Gox is sold, it is already insolvent.

  • Mt. Gox at multiple times hit 0 reserves of Bitcoins over the years.

  • The pre-2011 theft, which made them insolvent, was actually small.

  • Wizsec walks through several thefts:

    • Unsigned input -> XML injection; $50k USD lost
    • Mt. Gox allows you to withdraw negative USD balances if you pad with whitespace; fixed w/o permanent impact?
    • Hot wallet stolen before handover; 80k BTC lost
      • These coins have not moved since 2011.
      • These thefts cause implementation of "obligation exchange" (WillyBot; internal tool to balance how insolvent they were in USD/etc and how insolvent they were in BTC so as to avoid a liquidity crunch on either)
    • Off-site wallet stolen (May 22, 2011) from unsecured network drive exposed to Internet; 300k BTC lost; thief returns coins for a 3k BTC finder's fee.
      • This is 2nd time Gox loses all reserves
      • Gox promises not to investigate in return for 3k BTC finder's fee.
    • June 6, 2011: Previous administrator's admin credentials popped; thief awards self infinite USD balance and purchases coins then exfiltrates; 2k BTC lost
    • August 18th, 2011: Mt. Gox expands to Europe by taking over debts of (a separate) insolvent Bitcoin exchange; 17k BTC impact
      • "Mark said 'This sounds like a great business opportunity!.'"
    • September 2011: Mt. Gox database hacked; arbitrary read/write happens. 77.5k BTC exfiltrated
      • "They could make changes to the database and boy did they make changes to the database."
      • "Haven't gotten to the main theft yet."
    • Between September 11, 2011 and October 1, 2011, thief gets wallet.dat file, syphons 630k BTC out.
      • Mt. Gox does not notice.
      • "Why would you have no monitoring on holdings?"
    • 48 "lucky people" get free Bitcoin credited to their accounts as thief moves stolen money around (cf. explanation above); 30k BTC lost
    • October 28th, 2011: Mt. Gox accidentally destroys 2,609 BTC by sending them to an unspendable address via a software bug.
  • Mt. Gox's new wallet software, which was deployed contemporaneously with the above bug, successfully prevents further thefts from Gox.

  • May / August 2013: US seizes $5 million from US subsidiary

  • Impact of Willy ("obligation exchange" trading bot) through trading losses

    • $51.6 million lost
    • 22.8k BTC lost
  • Total BTC lost to thefts/malfeasance: $60 million, ~865k BTC.

  • Mt. Gox reports liabilities of 950k BTC in customer deposits and 100k BTC in assets (company's BTC held on exchange)

  • ... This math actually almost balances: we expect 1.05 million Bitcoins on deposit, we know 865k were lost to malfeasance, and the amount Mt. Gox "finds in an old wallet" after bankruptcy filed is ~220k.

  • Multiple thefts were not survivable.

  • Everything was made worse because of secrecy; company would have been killed in 2011.

  • Remediation advice:

    • Disclose early
    • Don't implement Willy Bot
  • Because monitoring/auditing would have discovered undeniable evidence of insolvency, monitoring was not implemented (for years). It would have spread knowledge within Mt. Gox of the insolvency, and management did not trust employees to not leak this knowledge to public or regulators. This blinded management to additional ongoing thefts.

  • Future research:

  • Track June 2011 theft on blockchain

  • Get in touch with "virtuous" 300k thief

  • Investigate BTC-e connection

  • Find additional traces connecting thefts
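
The reconciliation idea from the highlights (holdings should equal deposits minus withdrawals, and an outflow from exchange addresses with no matching withdrawal record is presumptively a theft) can be run as a monitoring check. This is an added example, not Wizsec's tooling; the addresses, txids, amounts and ledger format are constructed, and fees are ignored.

```python
from collections import namedtuple
from decimal import Decimal as D

# Constructed sample data: addresses, txids and amounts are made up.
Tx = namedtuple("Tx", "txid inputs outputs")  # inputs/outputs: [(address, btc)]
EXCHANGE_ADDRS = {"ex1", "ex2", "ex3"}        # the clustered exchange wallet
CHAIN = [
    Tx("t1", [("cust_a", D(50))], [("ex1", D(50))]),                  # deposit
    Tx("t2", [("cust_b", D(30))], [("ex2", D(30))]),                  # deposit
    Tx("t3", [("ex1", D(50))], [("cust_c", D(10)), ("ex3", D(40))]),  # withdrawal + change
    Tx("t4", [("ex2", D(30))], [("unknown_x", D(30))]),               # no ledger row
]
# Withdrawals the exchange database says it authorised (hypothetical format).
LEDGER_WITHDRAWALS = [{"txid": "t3", "to": "cust_c", "btc": D(10)}]
LEDGER_LIABILITIES = D(70)  # what the database says customers are owed

def net_flow(tx, addrs):
    """BTC entering (+) or leaving (-) the address cluster in one transaction."""
    spent = sum((v for a, v in tx.inputs if a in addrs), D(0))
    received = sum((v for a, v in tx.outputs if a in addrs), D(0))
    return received - spent

def reconcile(chain, addrs, ledger):
    """Return (on-chain holdings, outflows that have no matching ledger row)."""
    authorised = {(w["txid"], w["to"]): w["btc"] for w in ledger}
    holdings, unexplained = D(0), []
    for tx in chain:
        holdings += net_flow(tx, addrs)
        if not any(a in addrs for a, _ in tx.inputs):
            continue  # not a spend from the exchange wallet
        for addr, btc in tx.outputs:
            if addr in addrs:
                continue  # change returning to the exchange
            if authorised.get((tx.txid, addr)) != btc:
                unexplained.append((tx.txid, addr, btc))
    return holdings, unexplained

def shortfall(chain, addrs, ledger, liabilities):
    """Liabilities not backed by on-chain holdings; above zero means insolvent."""
    holdings, _ = reconcile(chain, addrs, ledger)
    return liabilities - holdings

if __name__ == "__main__":
    held, suspicious = reconcile(CHAIN, EXCHANGE_ADDRS, LEDGER_WITHDRAWALS)
    print("holdings:", held, "unexplained outflows:", suspicious)
    print("shortfall:", shortfall(CHAIN, EXCHANGE_ADDRS, LEDGER_WITHDRAWALS, LEDGER_LIABILITIES))
```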
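
The wallet.dat fingerprint described above (two copies of one wallet drawing the same pre-generated change addresses) can be detected by looking for change addresses that receive change more than once. This is an added example, not Wizsec's method; the transactions are constructed, and it assumes the change output of each transaction is already identified and that keys are consumed from the pool in order.

```python
from collections import defaultdict

# Constructed sample: (txid, ISO time, change address). "a*" transactions come
# from the owner's wallet, "b*" from a second copy of the same wallet file.
TXS = [
    ("a1", "2011-01-01T10:00", "k01"),
    ("a2", "2011-01-02T09:00", "k02"),
    ("a3", "2011-01-05T12:00", "k03"),  # owner's copy draws k03
    ("b1", "2011-01-06T03:00", "k03"),  # second copy draws k03 as well
    ("a4", "2011-01-07T08:00", "k04"),
    ("b2", "2011-01-08T22:00", "k04"),
    ("a5", "2011-01-09T08:00", "k05"),
]

def keypool_collisions(txs):
    """Change addresses that received change from more than one transaction.

    A single wallet instance takes a fresh key for every change output, so a
    repeat means two instances are working from the same key pool.
    """
    uses = defaultdict(list)
    for txid, when, change_addr in sorted(txs, key=lambda t: t[1]):
        uses[change_addr].append((when, txid))
    return {addr: u for addr, u in uses.items() if len(u) > 1}

def copy_window(txs):
    """Bound when the wallet file was copied.

    The copy was made after the last change key that was used only once, and
    before the first use of a key that both copies went on to use.
    Returns (not_before, not_after) as ISO strings, or None if no collision.
    """
    hits = keypool_collisions(txs)
    if not hits:
        return None
    first_shared = min(u[0][0] for u in hits.values())
    clean = [when for _, when, addr in txs
             if addr not in hits and when < first_shared]
    return (max(clean) if clean else None, first_shared)

if __name__ == "__main__":
    for addr, used in keypool_collisions(TXS).items():
        print(addr, "used as change by", [txid for _, txid in used])
    print("wallet copied between", copy_window(TXS))
```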
